Akamai DNS: Providing Authoritative Answers to the World's Queries

We present Akamai DNS, one of the largest authoritative DNS infrastructures in the world, which supports the Akamai content delivery network (CDN) as well as authoritative DNS hosting and DNS-based load balancing services for many enterprises. As the starting point for a significant fraction of the world's Internet interactions, Akamai DNS serves millions of queries each second and must be resilient to avoid disrupting myriad online services, scalable to meet the ever-increasing volume of DNS queries, performant to prevent user-perceivable performance degradation, and reconfigurable to react quickly to shifts in network conditions and attacks. We outline the design principles and architecture used to achieve Akamai DNS's goals, relating the design choices to the system workload and quantifying the effectiveness of those designs. Further, we convey insights from operating the production system that are of value to the broader research community.
